PAN AWS with multiple ELBs

cancel
Showing results for 
Search instead for 
Did you mean: 

PAN AWS with multiple ELBs

L3 Networker

Hi All,

 

I'm deploying a PAN VM in AWS.  The client has multiple ELBs configured and I'm trying to figure out the best way to deploy it.  I haven't found any documentation on Palo Alto's website regarding ELB but did find an architecture from another firewall vendor that would seem to work if there was only a single ELB.

 

The othe vendor deploys the firewall the same way Palo Alto does (following the PAN use case scenario).  They then recommend changing the ELB to point to the firewall ENI in the public subnet instead of the front end web servers ENI.  The firewall's NAT configuration then forwards the traffic to the front end web server.

 

My question is what is Palo Alto's recommended deployment in an elastic load balancing deployment and especially if multiple ELBs are configured?

 

Client setup:

 

ELB 1:  dev.company.com load balances to 2 web servers in different subnets in the same AZ
ELB 2:  prod.company.com load balances to 2 web servers in different subnets in the same AZ.

 

I setup the PAN VM the recommended way.  A single ENI each subnet:  public, private-dev1, private-dev2, private-prod1, private-prod2.

 

My first thought was to do the following:

1. Reconfigure the ELBs to point to the PAN interface in the public subnet.

2. Setup ELB to port forward.  They would listen on port 80/443 and forward to 8081-4/4433-6.

3. The PAN would then use DNAT with port translation to forward that traffic to the correct server on port 80/443.

 

The problem is that, from a post I read, ELB can't do this.  I don't *think* I can have multiple ELB configurations pointing to the same interface (the PAN ENI in the public subnet).

 

Any one have a recommendation or experience setting up ELB with a PAN VM?

 

Thanks!

Matt

0 REPLIES 0
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!